Prerequisites

Make sure you are comfortable with Splunk Enterprise: Before you jump in, you should be comfortable installing Splunk Enterprise, starting it from the command line, and the usage of network Ports by Splunk. We're gonna be referring to some stuff in those domains that will absolutely confuse you if it's the first you're hearing of them.

You do NOT need to be a Docker expert: One thing you don't need to be is a Docker expert. In fact, I'm NOT a Docker expert at all! I'm just so happy with this idea that I couldn't help but want to share it, my poor Docker skillz notwithstanding.

Why Bother with a Sandbox?

"I'd like to get to the bottom of odd phenomenons and unexpected behavior, but I'm scared to break my environment."

"The more work I put into my environment, the more hesitant I am to try new things."

"I'd like to keep learning and experimenting."

"I need a proper testing environment to try out new ideas."

"I'd like an environment where I can just see what happens, without worrying about crashing."

Sandbox Tips

You don't HAVE to use Docker.

Any Sandbox that you're comfortable destroying will suffice. In .conf2016's Your Splunk Sandbox, I share a few options and considerations.

Make sure everyone has their own individual sandobx. A 'team sandbox' is inheritly flawed. If your team is sharing the sandbox, they will all be afraid to make changes that could impact each other. This will stifle their learning.

Setting Up Your Workstation

I suggest using your local workstation (laptop/desktop) machine. While you certainly can use a remote host, you should recognize that you may be introducing too much complexity. This burden of use could discourage you from using the sandbox altogether. If you are using Docker, it is much preferred to host the Docker environment locally. I would argue that the costs (e.g. disk space, admin exception) are well worth the benefits.

Download & Install Docker

Navigate over to Docker's official website and follow their instructions for downloading and installing docker on your target machine. At the time of this writing, there's a "Get Docker" menu on top of the page that will get your started and pass you along to a few different pages before you get the download going.

Remember, Docker is a different company and different product than Splunk. So if you run into problems with this part (navigating, downloading, and installing) you'll want to peek at the Docker documentation and/or work with Docker, not Splunk. OK, back to the fun!

Get the Splunk Enterprise Docker Image

The Splunk Enterprise Docker image is hosted on the Docker Store. Unlike the online stores we're used to, there's nothing to download on that particular page. Instead, you'll see instructions including the docker pull command for having your Docker install fetch and download the Splunk Enterprise Docker image. Follow those instructions and soon enough you'll see the component pieces of the image being downloaded. It'll look something like this:

Connect to the Splunk Docker Instance

Great! So...where is that Splunk instance we just created? Well, this is where the docker container command comes in handy. For example, if I run docker container list -a I'll see the following columns in my output. Here's the relevance of each of these headers:

Column Header

Purpose

CONTAINER ID

unique ID for reference

IMAGE

that it was built from

COMMAND

not relevant for this topic

CREATED

when it was born

STATUS

how long it's been turned on/off

PORTS

Port mappings. We'll get into this in a moment below.

NAME

Name assigned (random unless you manually assigned one).

Ports

OK, I promised I'd elaborate on that one, since the notation might be a bit new to you. But fear not! It's really quite simple.

You'll probably see something like this, but with different numbers to the left of each '->':

If you've gone cross-eyed, take a step back. You should see that we've just got ourselves a collection of port pairings...and you might even notice some of the right-hand side ports look very Splunk-y. What happened here is Docker has made those ports available for you to access from your machine, but randomly assigned to different ports.

This reassignment might seem annoying if you're used to installing Splunk on your local machine but trust me, it is a huge benefit! Imagine having dozens or hundreds of Splunk containers all running at the same time. You don't need to mess with port conflicts! The instances can all run simultaneously without you having to administer different ports! Boooya!

Now let's look at each individual pairing. We've got:

0.0.0.0:<port>-><splunk default port>/<protocal>

It's saying that if you go to the left side of the arrow (->) Docker's networking mapping magic will forward those requests to the port listed on the right side of the arrow as the specified protocol. Let's look at the following example:

0.0.0.0:32784->8000/tcp

If we put 0.0.0.0:32784 in a browser (or localhost:32784), Docker will send those requests to the container's service listening on port 8000 as tcp. Since SplunkWeb's default port is 8000, you'll see something like this:

Editing *.conf Files

While you can certainly use SplunkWeb to make changes to the environment, you'll probably get to a point where you want to manually edit .conf files or save your work from the container. This is where things get a bit annoying. That's because the Docker container doesn't have much installed out-of-the-box, not even vi/vim! So, while you can explore the container's terminal using docker exec -it <container name|id> bash, you might not want to given other options.

I probably sound a bit crazy right now, but the reality is that in order to be successful we need to keep our work entirely separate from our sandboxes. This will allow us to destroy our sandboxes and rebuild without a worry in the world. With that in mind, I prefer to mount a folder from my desktop into the container as a Splunk app. By mounting that folder as a volume, I can manage the contents (add/remove/edit files) with my preferred navigator (Mac Finder, Windows Explorer, terminal, etc...) and my preferred editor (vi, SublimeText, Notepadd++ etc...). Since the folder is mounted as a volume, the changes I make locally are reflected within the container.

The syntax for this is the -v option when I first instantiate the container. docker help run informs us that this parameter is used to Bind mount a volume. An example of the syntax is if we insert within the run command:

In this example, local_app is the folder on my system and container_app is how it appears on the container's filesystem. Notice that it's slipped into the docker help run between other parameters but before we call out the image (splunk/splunk).

Next Steps

Congratulations! You've gotten your basics on how to use Docker as your Splunk Enterprise sandbox. We're all done here and I hope you enjoyed this. If you want to learn more, here's some resources worth checking out. Enjoy and happy Splunking!

Container Resources: You can adjust the computing resources available to Docker. This allows your containers to use CPU and Memory. The Mac Download Page shows some of those tweaks available in the Docker preferences.

Data Volume License Increase: Your Splunk instances will be using the free license. Remember that if you're violating the license, it's probably easier to just destroy and create a new Docker container than it is to implement a Development License. Remember that if you are afraid to destroy your container because you put work into then you likely could be Sandboxing better: separate the work from the sandbox so you can rebuilt without pain!

Upgrade Splunk (Image): When it's time to upgrade your Splunk image, simply run docker pull splunk/splunk:latest. Don't bother upgrading the containers themselves. If you are Sandboxing correctly, it should be no problem to destroy the old containers and create new ones on the newer Splunk Enterprise image release.

Burch is what happens when you mix a passion for technology with a love for performing comedy. If you find a Burch in the wild, engage lovingly with discussions of Splunk Best Practices and your hardest SPL challenges.